
Re: Vulnerability in OpenSSL 1.0.x & Firefox 4 Silent Updates



On Wed, 11 Aug 2010 02:42:15 -0400
whowatchesthewatcherswatches@xxxxxxxxxxxxx wrote:

> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
> 
> Tor server/client use vuln?

Unknown; the real bug seems to be explained here:
http://marc.info/?l=openssl-dev&m=128128256314328&w=2

I'll let Nick or someone more familiar with OpenSSL explain the risk
better.

> Firefox 4 Silent Updates
> http://news.slashdot.org/story/10/08/07/1239224/Like-Googles-Chrome-Mozilla-To-Silently-Update-Firefox-4

This is why we repeatedly say to stick with the Firefox versions we
have analyzed.  New features aren't analyzed and/or mitigated with
Torbutton yet.  Something like this should be caught and stopped by
future versions of Torbutton.

We've only analyzed the Firefox 3.5.x codebase.  3.6 is next, or maybe
we just skip it and go to 4.x.  There is exactly one person working on
this, so if people want faster updates to Torbutton, more help is
needed.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B
+1-781-352-0568

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
skype:  lewmanator